DETAILED ACTION



1. Claims 1-5, 8-15, 28-30, 32-41 have been examined.



Election/Restrictions 



2. Newly submitted claim 31 directed to an invention that is independent or distinct 
from the invention originally claimed for the following reasons: The originally claimed 
invention was clearly drawn to a system wherein policies were capable of being
dynamically changed. The added limitation is mutually exclusive of the originally 
claimed invention. 

Since applicant has received an action on the merits for the originally presented 
invention, this invention has been constructively elected by original presentation for 
prosecution on the merits. Accordingly, claim 31 is withdrawn from consideration as 
being directed to a non-elected invention. See 37 CFR 1.142(b) and MPEP § 821.03. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1-5, 8-15 have been considered but 
are moot in view of the new ground(s) of rejection. 



Claim Rejections - 35 USC § 112



4. The following is a quotation of the first paragraph of 35 U.S.C. 112:



The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall
set forth the best mode contemplated by the inventor of carrying out his invention. 

5. Claims 1-5, 8-15, 28-30, 32-41 are rejected under 35 U.S.C. 112, first paragraph,
as failing to comply with the written description requirement. 

6. The limitations "excluding from at least one of the plurality of interconnection 
devices a common agent framework for effecting signal transfer policy changes" and 
"wherein there is no common agent framework distributed among the plurality of 
interconnection devices to establish therein either or both intrusion detection function 
and the function to change selectively the signal transfer policies" is a negative limitation 
that renders the claim indefinite because it is an attempt to claim the invention by 
excluding what the inventors did not invent rather than distinctly and particularly pointing 
out what they did invent. Any negative limitation or exclusionary provision must have 
basis in the original disclosure. The newly introduced limitation, however, is in fact
contradictory to the original specification. See MPEP 2173.05(i). The applicant's 
specification clearly states at page 5 annotated paragraph (11) "In effect, the DIRS 
enables all network infrastructure devices to be intrusion response devices as means to 
enforce policy changes associated with network usage security". Clearly the cited 
recitations impart the excluded functionality within all interconnection devices of the 
applicant's invention. Further recitations on page 16 at paragraph (14) states 
"...includes one or more distributed network infrastructure enforcement devices directly 
or indirectly connected to the policy manager function and with the capability to be 
configured to enforce security, usage, and/or network access policies managed by the 
policy manager function". Thereby directly performing what the applicant excludes in 
the newly added claim limitations. From these recitations the written description clearly
does not support the claim language since the ability of "effecting signal transfer policy 
changes" is clearly provided for within all interconnection devices, wherein the "effecting 
signal transfer policy changes" occurs by means of the "capability to be configured to 
enforce security, usage, and/or network access policies managed by the policy 
manager function", which all clearly effect policy change by a manner of enforcement or 
data provisions. Furthermore, the usage of the term "common agent framework" is not 
supported within the applicant's disclosure and one of ordinary skill would not readily be 
able to ascertain the meaning of the term from the applicant's specification. 

7. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

8. Claims 15, 30, 32-41 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. 

9. Claim 30 directly contradicts its own recitation wherein the claim first states that 
interconnection devices have a function in order to change policies based upon 
detected intrusions and then subsequently claims the antithesis of this wherein the 
interconnection device does not have such functions to change the policies. 

10. Claim 15 recites the limitation "signal transferring devices" in line 3. There is 
insufficient antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC § 103

11. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

12. Claims 1-5, 8-15, and 28-30, 32-41 are rejected as best understood under 35
U.S.C. 103(a) as being unpatentable over Huff et al International Publication No. WO
99/57625 (hereinafter "Huff") and Sung et al United States Patent Application
Publication No. 2004/0215972 A1 (hereinafter "Sung").

13. Huff teaches a distributed intrusion detection method and manner of responding
to such but fails to explicitly teach excluding intrusion detection functions from at least 
one or more interconnection devices. 

14. However, in related art, Sung teaches a system for distributed intrusion detection 
using intelligent agents wherein the agents are selectively distributed. (Sung 
paragraphs 83, 85, 95, 101) 

15. Sung teaches that it is a desirable feature to be able to dynamically distribute
agents to selected locations (Sung paragraph 101). 

16. The combination of these two systems clearly represents the teachings of Huff 
wherein agents are dynamically distributed to nodes and not distributed to every node in 
order to provide for a more efficient system as outlined by Sung. 

17. It would have been obvious to one of ordinary skill in the art at the time of the
applicant's invention to combine Sung with Huff in order to provide for a more scalable 
efficient implementation based upon network size, traffic conditions, and computational 
load. 

18. Regarding Claim 1: A method of responding to the detection of an intrusion on a
network system that provides network services, the network system including one or 
more attached functions and a plurality of interconnection devices, the method 
comprising the steps of: a. establishing signal transfer policies for each of the plurality 
of interconnection devices: (Huff Fig 3-4, pg 4 line 11 - pg 7 line 11, pg 13 lines 10-12, 
pg 14 lines 6-12, pg 15 lines 3-11, pg 17 lines 14-25, pg 18 lines 1- pg 19 line 25) 

b. monitoring the network system for intrusions (Huff Abstract, Fig 1, 3, pg 5 lines 2-5) 

c. excluding from at least one of the plurality of interconnection devices a common 
agent framework for effecting signal transfer policy changes: (Sung paragraphs 83, 85, 
95, 101) 

d. upon detection of one or more intrusions of the network, selectively changing one or 
more signal transfer policies of one or more of the plurality of interconnection devices in 
response to the one or more detected intrusions (Huff pg 5 lines 6-9, 12-16, pg 12 line 
29 - pg 13 line 3, pg 18 line 27 - pg 19 line 13, pg 20 lines 3-5, pg 21 lines 10-13) 
Identifying the source of the intrusion occurs two fold within the system of Huff by not 
only detecting the device on the local network where the issue arises but by tracing the 
remote location as well. 

19. Regarding Claim 2: The method as claimed in Claim 1 wherein the step of
identifying one or more sources of the intrusions, including the step of identifying a 
physical address or a logical address of each of the one or more identified sources (Huff 
pg 8 lines 24-30, pg 11 lines 5-23, pg 12 line 30 - pg 13 line 2, 23-27, pg 18 line 27 - pg
19 line 13, pg 20 lines 3-5, pg 21 lines 10-13) 

20. Regarding Claim 3: The method as claimed in Claim 2 wherein the physical 
address information is a MAC address or the logical address information is an IP 
address (Huff pg 8 lines 24-30, pg 11 lines 5-23, pg 12 line 30 - pg 13 line 2, 23-27, pg 
18 line 27 - pg 19 line 13, pg 20 lines 3-5, pg 21 lines 10-13) As provided by Huff the
use of Ethernet type networks dictates that for address resolution purposes, which is an 
inherent functionality of such a network, addresses are stripped from packets which 
contain both MAC and IP type addresses. Furthermore, as stated since all devices are 
addressable on the network and the implementation of any such protocol as TCP/IP 
dictates resolution of such devices occurs via a MAC address associated to an IP 
address. 

21. Regarding Claim 4: Including in at least one of the plurality of interconnection 
devices the capability for such interconnection devices to change directly their own 
signal transfer policies (Huff pg 4 lines 8- pg 5 line 10) 

22. Regarding Claim 5: Employing an intrusion detection device of the network 
system to perform the function of detecting the one or more intrusions, wherein the 
intrusion detection device is either a centralized network infrastructure device or a 
plurality of distributed network system devices (Huff Fig 3, pg 4 line 11 - pg 7 line 11, pg
11 lines 25-30; Sung paragraph 28) the intrusion detection function is centralized by the
security server that controls actions taken by the distributed agents in effect being both 
centralized and distributed. 

23. Regarding Claims 8, 28, 29: The method as claimed in Claim 2 the step of 
identifying one or more of the plurality of interconnection devices associated with the 
one or more identified sources of intrusions, including the step of determining the 
physical address, logical address, or both for each of the identified one or more 
interconnection devices (Huff pg 8 lines 10-30, pg 11 lines 5-23, pg 12 line 30 - pg 13 
line 2, 23-27, pg 18 line 27 - pg 19 line 13, pg 20 lines 3-5, pg 21 lines 10-13) 
Resolution of addresses in order to send messages and communicate actions must 
take place via such a path. 

Verifying the Identity of the identified one or more sources (Huff pg 5 lines 1-10; Sung 
paragraphs 109-133) as taught by both Huff and Sung there are measures for tracking 
the source of the intrusion. 

24. Regarding Claim 9: The method as claimed in Claim 2 further comprising the 
step of verifying the identification of the identified one or more sources (Huff pg 5 lines 
6-9, 12-16, pg 12 line 29 - pg 13 line 3, pg 18 line 27 - pg 19 line 13, pg 20 lines 3-5, 
pg 21 lines 10-13) Huff states that agents serve to verify the identity of the source
through the steps of tracing. 

25. Regarding Claim 10: The method as claimed in Claim 1 wherein the step of 
selectively changing one or more signal transfer policies of one or more of the plurality 
of interconnection devices in response to the one or more detected intrusions includes 
the step of configuring the one or more interconnection devices to perform one or more
functions selected from the group consisting of: blocking complete access to the 
network services by the identified one or more sources of a detected intrusion, blocking
access by identified logical addresses only, blocking access by an identified access 
protocol only, limiting bandwidth, limiting exchanges to or from the identified one or 
more interconnection devices, to or from one or more other devices of the network 
system, or to or from any of the attached functions not identified as an intrusion source 
(Huff pg 4 line 11 - pg 7 line 11, pg 18 line 1 - pg 19 line 25, pg 22 lines 3-20; Sung
paragraphs 19-21, 79, 108) The intruder is either disabled through policy changes or is 
misdirected toward information that cannot be harmed in order to collect further 
information about the intruder. 

and directing all signals exchanged by the identified one or more sources to a honey-pot,
an intrusion detection device, a monitoring device, or a simulation device (Huff pg
18 line 1 - pg 19 line 25, pg 20 lines 2-8, pg 20 line 27 - pg 21 line 1, pg 21 lines 10-30,
pg 22 lines 3-20) The intrusion system directs all information back to the central server 
which stores information within a database, and also as outlined provides for 
misdirecting the intruder in order to collect further information. 

26. Regarding Claim 11: The method as claimed in Claim 1 wherein the step of
selectively changing one or more signal transfer policies of one or more of the plurality 
of interconnection devices in response to the one or more detected intrusions includes 
the step of configuring the identified one or more interconnection devices to permit 
connectivity of the identified sources of a detected intrusion while dampening the level 
of activity associated with the identified one or more sources to minimize network harm
while permitting analysis and auditing of the identified one or more sources and the 
gathering of forensic evidence (Huff pg 17 line 18 - pg 19 line 14, pg 21 line 6 - pg 22 
line 19; Sung paragraph 108) as recited the intruder is misdirected toward data to 
decrease any possible harm to the network in order to collect data about the attacker. 

27. Regarding Claim 12: The method as claimed in Claim 1 wherein the step of 
selectively changing one or more signal transfer policies of one or more of the plurality 
of interconnection devices in response to the one or more detected intrusions includes 
the steps of first configuring a first set of the one or more interconnection devices with a 
first set of one or more policy changes, monitoring the network system for intrusions 
and, upon detection of one or more intrusions related to the intrusions causing the first 
one or more policy changes, configuring a second set of the one or more 
interconnection devices with a second set of one or more policy changes (Huff pg 17 
line 18 - pg 19 line 14, pg 21 line 6 - pg 22 line 19; Sung paragraph 108) Audit levels 
may be changed as well as having the attacker misdirected for further examination. 
Upon detection of further activity from the increase in auditing further actions can be 
taken by the system to have the attacker disabled or misdirected through policy 
changes on the specific devices. 

28. Regarding Claim 13: The method as claimed in Claim 12 wherein one or more of 
the one or more interconnection devices of the second set are interconnection devices 
of the first set (Huff fig 3, pg 15 lines 3-11, pg 17 lines 8-22, pg 18 lines 1-12, pg 19 
lines 1-14) The system has agents on nodes that monitor for intrusions, when an 
intrusion or suspicious activity is detected the audit level can be increased and upon
further inspection if such activity is determined to be inappropriate further action can be 
taken by the agent. 

29. Regarding Claim 14: The method as claimed in Claim 1 wherein the one or more 
interconnection devices are network entry devices (Huff Fig 1, page 8 lines 10-14, 20-30,
pg 9 lines 12-15, pg 13 lines 24-26) Such devices as servers, hosts, and any other
well-known network addressable nodes are anticipated by Huff as containing the 
agents, such devices as firewalls, VPNs and switches/routers are embodied as network 
computing devices and thus are anticipated by the present invention. 

30. Regarding Claim 15: The method as claimed in Claim 1 wherein the one or more 
policy changes are configured on one or more ports of one or more of the identified one 
or more signal transferring devices (Huff pg 14 lines 26 - pg 15 line 2) Huff provides for
configuring agents through associated ports. 

31. Regarding Claim 33: a directory service function for receiving address
information for attached functions and interconnection devices; (Huff Fig 4, pg 18 lines 
15-26) Huff provides a directory of all monitored devices and their associated
enforcement mechanisms. 

32. Regarding Claim 34: a policy manager function for configuring interconnection 
devices of the network infrastructure with policies (Huff Fig 4, pg 18 lines 15-26) There 
are means associated with the directory for changing policies and also within the 
automatic response for implementing and changing policies. 

33. Regarding Claim 35: Policy decision function configured: a. to receive detected
intrusion information from the intrusion detection functions; 

To receive information from the directory service functions; 

To evaluate whether a policy change or changes is or are required on one or more of 
the interconnection devices in response to the detected intrusion information; and to 
direct the policy manager functions to configure one or more of the plurality of 
interconnection devices with determined policy changes upon deciding to do so based 
upon the evaluation. (Huff figure 3, page 5 lines 10-16; Sung paragraph 108) Clearly 
the centralized server of Huff performs the correlation between agents and response
when an automatic response is present, and further Sung anticipates such changes as
detailed by the dynamic distribution of agents and the learning response of the system. 

34. Regarding Claim 36: The policy manager function and the policy decision 
function are part of a centralized server. (Huff figure 3) Huff provides for both the 
distributed and centralized policy decisions. 

35. Regarding Claim 37: The directory service function is part of the central server 
(Huff Figure 3) 

36. Regarding Claim 38: The intrusion detection function is a centralized intrusion 
detection function or a distributed intrusion detection function (Huff Figure 3) 

37. Regarding Claim 40: a network management system for identifying address 
information for the plurality of interconnection devices (Huff figure 4) 

38. Claims 30, 32, 39, 41 are further embodiments of the above rejected claims and 
as such are rejected on the same basis. 

Conclusion

39. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. Applicant is reminded that in amending in response to a rejection 
of claims, the patentable novelty must be clearly shown in view of the state of art 
disclosed by the references cited and the objections made. Applicant must show how 
the amendments avoid such references and objections. See 37 CFR 1.111(c). 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Thomas Szymanski whose telephone number is
571-272-8574. The examiner can normally be reached on M-F 8-4:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



